To better explain my point, I can see people finding it more intuitive to do:
Hi, <untrusted>$first_name $last_name</untrusted>, your e-mail is
<untrusted>$email</untrusted>.
(i.e., not having to worry what transformation to apply to the
offending content)... than they currently find it to do:
Hi, $html_escape_variant3(first_name . " " . last_name), your e-mail
is $html_escape_variant3(email).
But I do not think it will be any simpler for them to do:
Hi, $seamless_srcdoc_sandbox(first_name . " " . last_name), your
e-mail is $seamless_srcdoc_sandbox(email).
...and if they then see that the resulting document is littered with
incomprehensible base64 (and is necessarily slower to render), they
will probably develop a healthy aversion to this approach, too.
In fact, there are interesting semantic side benefits to the first
approach - think search engines and automated security testing, where
the ability to distinguish between owner-originating page content and
user-controlled parts would be extremely useful.
I might be wrong that the first approach is realistically any better
than the second; the difference is subtle. And in any case, we don't
know how to make it happen (DOM tree responses aside). But I'm really
puzzled as to why people think that the last approach is much more
likely to work than the second for that basic use case (it works OK
for a small subset of more complex ones).
/mz